File U_tigervnc-fix-buffer-overflow-in-ModifiablePixelBuffer-fillRect.patch of Package tigervnc.5211

Git-commit: 18c020124ff1b2441f714da2017f63dba50720ba
Patch-Mainline: Upstream
References: bnc#1019274
Author: Michal Srb <michalsrb@gmail.com>
Subject: [PATCH] Fix buffer overflow in ModifiablePixelBuffer::fillRect.

It can be triggered by an RRE message with a subrectangle outside the
framebuffer boundaries. The fix may also prevent the same kind of issue
caused by a malicious message from another encoding.

Index: tigervnc-1.4.1/common/rfb/PixelBuffer.cxx
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/PixelBuffer.cxx
+++ tigervnc-1.4.1/common/rfb/PixelBuffer.cxx
@@ -102,14 +102,26 @@
   U8 *buf;
   int w, h, b;

-  w = r.width();
-  h = r.height();
+  Rect drect;
+
+  drect = r;
+  if (!drect.enclosed_by(getRect())) {
+    vlog.error("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d",
+               drect.width(), drect.height(), drect.tl.x, drect.tl.y, width_, height_);
+    drect = drect.intersect(getRect());
+  }
+
+  if (drect.is_empty())
+    return;
+
+  w = drect.width();
+  h = drect.height();
   b = format.bpp/8;

   if (h == 0)
     return;

-  buf = getBufferRW(r, &stride);
+  buf = getBufferRW(drect, &stride);

   if (b == 1) {
     while (h--) {
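Review bot: The out-of-bounds branch calls `vlog.error` for every offending rectangle and then carries on with the clamped rect, so a peer sending a stream of out-of-range subrectangles (the RRE case from the description) can produce one log line per subrectangle while the connection stays up. A rectangle outside the framebuffer is a protocol violation, so consider failing the update instead of clamping, e.g. `throw Exception("Destination rect exceeds framebuffer");` if the rfb exception type is in scope in this file, or otherwise log only the first occurrence per connection. With the new `if (drect.is_empty()) return;` in place, the older `if (h == 0) return;` below it should no longer be able to fire and could be removed. fillRect's signature and the fill loops lie outside this hunk.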
@@ -138,7 +150,7 @@
     }
   }

-  commitBufferRW(r);
+  commitBufferRW(drect);
 }

 void ModifiablePixelBuffer::imageRect(const Rect& r,
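Review bot: `imageRect`, whose signature starts on the last context line of this hunk, also takes a caller-supplied `Rect` and is not touched by this patch; whether it bounds-checks `r` before writing is not visible here. Since the description expects other encodings to be able to deliver the same kind of rectangle, the other writers in this file that obtain a buffer through `getBufferRW` deserve the same guard, `if (!r.enclosed_by(getRect())) ...`, ideally factored into one helper so the checks cannot drift apart.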